Malicious RTF — malware analysis report

Static analysis result for SHA-256 735a532a6216d06c…

MALICIOUS

RTF

Size: 523.5 KB    First seen: 2020-07-02
MD5: 71aa497faae2a905d4bdf4e1235e0838
SHA-1: f330e5b053ba63b0ff594b00919b13b1a7c0a680
SHA-256: 735a532a6216d06c0543580595fd5275c8ee69b83c54641035864ae64d2445f8
Risk score: 160

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

ClamAV identifies the file as a malicious RTF dropper and additionally flags an exploit for CVE-2015-1641. The presence of \objdata and \objemb sections (embedded OLE objects) further indicates embedded malicious content. Taken together, this suggests the document is designed to exploit a client-side vulnerability in the viewing application to download and execute a secondary payload, most likely delivered as a spearphishing attachment.

Heuristics (3)

  • ClamAV: Rtf.Dropper.Agent-1817350 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Dropper.Agent-1817350
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 2 \objdata section(s): embedded OLE objects
  • Embedded OLE object (medium, RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000072.bin
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x72
  Size:    2614 bytes
  SHA-256: bfd3610398fd1b19acbdcec337c59bf7b76f27fb18fa556d0e1dcef44295e9d4

Filename: objdata_01_off000015e5.bin
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x15E5
  Size:    55869 bytes
  SHA-256: 39d0213ba46bf478ea979a713187d6c9a038329e1544d9e3484d26e598cd0c89

Detection
ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0
Obfuscation or payload: unlikely